Schedules

Regulation 3

Schedule 1Security requirements for manufacturers

Passwords

1.—(1) The following sub-paragraphs apply to—

(a)hardware of the product when that product is not in the factory default state;

(b)software which is pre-installed on the product at the point at which the product is supplied to a customer when the product is not in the factory default state;

(c)software which is not pre-installed on the product at the point at which the product is supplied to a customer and which must be installed on the product for all manufacturer’s intended purposes of the product that use—

(i)hardware;

(ii)software that is pre-installed at the point at which the product is supplied to a customer; or

(iii)software that is installable.

(2) Passwords must be—

(a)unique per product; or

(b)defined by the user of the product.

(3) Passwords which are unique per product must not be—

(a)based on incremental counters;

(b)based on or derived from publicly available information;

(c)based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice;

(d)otherwise guessable in a manner unacceptable as part of good industry practice.

(4) In this paragraph, passwords do not include—

(a)cryptographic keys;

(b)personal identification numbers used for pairing in communication protocols which do not form part of the internet protocol suite; or

(c)application programming interface keys.

(5) In this paragraph—

“application programming interface key” means a string of characters used to identify and authenticate a particular user, product, or application so that it can access the application programming interface;

“cryptographic key” means data used to encrypt and decrypt data;

“factory default state” means the state of the product after factory reset or after final production or assembly;

“good industry practice” means the exercise of that degree of skill, diligence, prudence and foresight which would reasonably and ordinarily be expected from a skilled and experienced cryptographer engaged in the same type of activity;

“incremental counter” means a method of password generation in which multiple passwords are the same save for a small amount of characters which change per password to make them unique (such as ‘password1’ and ‘password2’);

“keyed hashing algorithm” means an algorithm that uses a data input (“D”) and a secret key (“K”) to produce a value which cannot be guessed or reproduced without knowledge of both D and K;

“secret key” means a cryptographic key intended to be known only by the person (“P”) who encrypted or authorised the encrypting of the data, and any person authorised by P;

“unique per product” means unique for each individual product of a given product class or type.

Information on how to report security issues

2.—(1) The following sub-paragraphs apply to—

(a)hardware of the product;

(b)software which is pre-installed on the product at the point at which the product is supplied to a customer;

(c)software which must be installed on the product for all manufacturer’s intended purposes of the product that use—

(i)hardware;

(ii)software that is pre-installed at the point at which the product is supplied to a customer; or

(iii)software that is installable;

(d)software used for, or in connection with, any manufacturer’s intended purpose of the product unless the product is a smartphone or a tablet computer capable of connecting to cellular networks.

(2) The following information must be published—

(a)at least one point of contact to allow a person (“P”) to report to the manufacturer security issues relating to the categories listed in sub-paragraph (1) for any of the manufacturer’s relevant connectable products for which they have an obligation under section 8 (duty to comply with security requirements); and

(b)when P will receive—

(i)an acknowledgment of the receipt of a security issues report; and

(ii)status updates until the resolution of the reported security issues.

(3) The information in sub-paragraph (2) must be accessible, clear and transparent, and must be made available to P—

(a)without prior request for such information being made;

(b)in English;

(c)free of charge; and

(d)without requesting the provision of P’s personal information.

Information on minimum security update periods

3.—(1) The following sub-paragraphs apply to—

(a)hardware of the product that is capable of receiving security updates;

(b)software that is capable of receiving security updates where that software is pre-installed on the product at the point at which the product is supplied to a customer;

(c)software that is capable of receiving security updates which must be installed on the product for all manufacturer’s intended purposes of the product that use—

(i)hardware;

(ii)software that is pre-installed at the point at which the product is supplied to a customer; or

(iii)software that is installable;

(d)software developed by or on behalf of any manufacturer that is capable of receiving security updates and used for, or in connection with, any manufacturer’s intended purpose of the product unless the product is a smartphone or a tablet computer capable of connecting to cellular networks.

(2) The defined support period must be published.

(3) If a manufacturer extends the minimum length of time for which security updates will be provided, creating a new defined support period, the new defined support must be published as soon as is practicable.

(4) The information in sub-paragraphs (2) and (3) must be accessible, clear and transparent, and must be made available to a person (“P”)—

(a)without prior request for such information being made;

(b)in English;

(c)free of charge;

(d)without requesting the provision of P’s personal information; and

(e)in such a way that is understandable by a reader without prior technical knowledge.

(5) Where a manufacturer publishes an invitation to purchase a relevant connectable product on its own website or on a non-paid for website under its control that contains information described in regulation 6(4)(a) of the 2008 Regulations, the information in sub-paragraphs (2) and (3) must be published alongside or otherwise given equal prominence to the information described in that regulation.

(6) The security requirements in this paragraph are not met if the defined support period is shortened after the publication of the information in sub-paragraph (2).

(7) In this paragraph—

“the 2008 Regulations” means the Consumer Protection from Unfair Trading Regulations 2008(1);

“invitation to purchase” has the meaning given in regulation 2(1) of the 2008 Regulations.

Regulation 4

Schedule 2Conditions for Deemed Compliance with Security Requirements

Passwords

1.—(1) A manufacturer is to be treated as complying with the security requirement at paragraph 1 of Schedule 1 where the condition in sub-paragraph (2) is met.

(2) The condition is that the manufacturer complies with provision 5.1-1 of ETSI EN 303 645 and, where relevant, provision 5.1-2 of ETSI EN 303 645 as if those provisions apply to the categories of hardware and software specified in paragraph 1(1) of Schedule 1.

Information on how to report security issues

2.—(1) A manufacturer is to be treated as complying with the security requirement at paragraph 2 of Schedule 1 where the condition in sub-paragraph (2) is met.

(2) The condition is that the manufacturer complies with—

(a)provision 5.2-1 of ETSI EN 303 645; or

(b)subject to sub-paragraphs (3) and (4), the following paragraphs of ISO/IEC 29147—

(i)paragraph 6.2.2;

(ii)paragraph 6.2.5; and

(iii)paragraph 6.5

as if the provision of ETSI EN 303 645 or the paragraphs of ISO/IEC29147 apply to the categories of hardware and software specified in paragraph 2(1) of Schedule 1.

(3) A manufacturer is required to publish information as to—

(a)how a person may access the mechanism for the manufacturer to receive reports described in paragraph 6.2.2 of ISO/IEC 29147;

(b)when a person making a vulnerability report will receive an acknowledgement of receipt of a report described in paragraph 6.2.5 of ISO/IEC 29147; and

(c)when a person making a vulnerability report will receive ongoing communication as described in paragraph 6.5 of ISO/IEC 29147

(4) The information at sub-paragraph (3) must be accessible, clear and transparent, and must be made available to a person (“P”)—

(a)without prior request for such information being made;

(b)in English;

(c)free of charge; and

(d)without requesting the provision of P’s personal information.

Information on minimum security update periods

3.—(1) A manufacturer is to be treated as complying with the security requirement at paragraph 3 of Schedule 1 where the condition in sub-paragraph (2) is met.

(2) The condition is that, subject to sub-paragraphs (3), (5) and (6) of paragraph 3 of Schedule 1 and to sub-paragraphs (3) and (4), the manufacturer complies with provision 5.3-13 of ETSI EN 303 645 as if that provision applies to the categories of hardware and software specified in paragraph 3(1) of Schedule 1.

(3) References at provision 5.3-13 of ETSI EN 303 645 to “defined support period” are to be construed in accordance with the definition in regulation 2.

(4) Reference at provision 5.3-13 of ETSI EN 303 645 to the information being published in an accessible way that is clear and transparent includes making the information available to a person (“P”)—

(a)without prior request for such information being made;

(b)in English;

(c)free of charge;

(d)without requesting the provision of P’s personal information; and

(e)in such a way that is understandable by a reader without prior technical knowledge.

Regulation 6

Schedule 3Excepted connectable products

Products made available to be supplied in Northern Ireland

1.—(1) Products are excepted under this paragraph if they are products to which relevant legislation applies and are made available for supply in Northern Ireland.

(2) For the purposes of this paragraph, “relevant legislation” means legislation that is—

(a)listed in Annex 2 to the Windsor Framework; and

(b)subject to sub-paragraph (3), contains a free movement article.

(3) Where the free movement article allows, for reasons not relating to aspects covered by the relevant legislation, Member States to prohibit, restrict, or impede the making available of the product where the product complies with the relevant legislation, that legislation must also address aspects covered by Schedule 1.

(4) In this paragraph—

“free movement article” means an article that does not permit Member States to prohibit, restrict, or impede the making available of the product where the product complies with that legislation;

“Windsor Framework” has the same meaning as in Joint Declaration No. 1/2023 of the EU and the United Kingdom in the Withdrawal Agreement Joint Committee of 24 March 2023.

Charge points for electric vehicles

2.—(1) Products are excepted under this paragraph if they are charge points to which the 2021 Regulations(2) apply.

(2) This paragraph has effect as if the 2021 Regulations extended to England and Wales, Scotland and Northern Ireland.

(3) For the purposes of this paragraph, the references to “Great Britain” in regulation 3(2)(b) of the 2021 Regulations are to be read as if they were references to “the United Kingdom”.

(4) In this paragraph—

“the 2021 Regulations” mean the Electric Vehicles (Smart Charge Points) Regulations 2021(3);

“charge point” has the meaning given in section 9(1) of the Automated and Electric Vehicles Act 2018(4).

Medical devices

3.—(1) Products are excepted under this paragraph if they are products to which the Medical Devices Regulations 2002(5) apply.

(2) But a relevant connectable product on which software to which those Regulations apply is installed or operable is not an excepted product under this paragraph.

Smart meter products

4.—(1) Products are excepted under this paragraph if they are products—

(a)supplied or installed by or on behalf of a person acting in their capacity as a licence holder under—

(i)section 7AB of the Gas Act 1986(6) (licensing of a person providing a smart meter communication service); or

(ii)section 6 of the Electricity Act 1989(7) (licences authorising supply, etc.); and

(b)that have been successfully assured under an assurance scheme.

(2) In this paragraph, “assurance scheme” means the commercial product assurance scheme administered by the National Cyber Security Centre or any other successor scheme.

Computers

5.—(1) Products are excepted under this paragraph if they are computers which are—

(a)desktop computers;

(b)laptop computers;

(c)tablet computers which do not have the capability to connect to cellular networks.

(2) But products listed in sub-paragraph (1) which, according to the manufacturer’s intended purpose, are designed exclusively for children under 14 years old are not excepted products.

Regulation 7

Schedule 4Minimum Information Required for Statements of Compliance

1.—(1) The statement of compliance must include the following information—

(a)product (type, batch);

(b)name and address of each manufacturer of the product and, where applicable, each authorised representative;

(c)a declaration that the statement of compliance is prepared by or on behalf of the manufacturer of the product;

(d)a declaration that, in the opinion of the manufacturer, they have complied with either—

(i)the applicable security requirements in Schedule 1; or

(ii)the deemed compliance conditions in Schedule 2;

(e)the defined support period for the product that was correct when the manufacturer first supplied the product;

(f)signature, name and function of the signatory; and

(g)the place and date of issue of the statement of compliance.

(2) For the purpose of sub-paragraph (1)(d)(ii), where the reference includes conformity of a product to a specified standard or compliance by a manufacturer to a specified standard, the identification number, version and date of issue of the standard must be included in the statement of compliance where applicable.